Attack ‘bypasses’ Microsoft’s zero-day protection tool

Researchers have demonstrated an attack that completely bypasses the protections offered by EMET – a Microsoft toolkit used to provide safeguards against zero-day attacks – according to Ars Technica, which reported on Bromium Labs’ demonstration this week.

Ars Technica’s Dan Goodin described it as, “an impressive feat that suggests criminal hackers are able to do the same thing when exploiting vulnerabilities that allow them to surreptitiously install malware.”

The Enhanced Mitigation Experience Toolkit (EMET) is a free download which enhances PC security, and is particularly useful to PC users with older versions of Windows, rather than the latest Windows 8.1, which ships with many of its protections built in, according to Bit-Tech’s report.

Researchers at Bromium Labs say that EMET is vulnerable to custom-built exploits – and demonstrated an attack that circumvented all the protections offered by EMET, published as a white paper here. The researchers presented their research to Microsoft before publication.

Describing EMET as, “Standard, basic protection – certainly not perfect, but no software is – but good enough for a number of older attacks and flaws,” ZDNet said that the proof-of-concept exploit code showed, “There are limitations to the free software and [the demonstration] includes real-world examples where damage control functions – sprung after the detection of malicious code – were fully bypassed.”

Bromium’s researchers were keen to emphasise that EMET is by no means irrelevant – but that the free tool has limitations.

“EMET is a viable personal and corporate defense add-on, but given other researchers have found EMET bypasses before, we sought to understand how EMET is vulnerable to the presence of novel exploits,” said Rahul Kashyap, chief security architect and head of security research, Bromium.

In the white paper, Bromium researchers wrote, “As was seen in our research, deploying EMET does mean attackers have to work a little bit harder; payloads need to be customized, and EMET bypass research needs to be conducted. Thus, EMET is good for the price (free), but it can be bypassed by determined attackers.”

The researchers said, “Microsoft freely admits that it is not a perfect protection, and comments from Microsoft speakers at conference talks admit that as well. The objective of EMET is not perfection, but to raise the cost of exploitation. So the question really is not can EMET be bypassed. Rather, does EMET sufficiently raise the cost of exploitation? The answer to that is likely dependent upon the value of the data being protected.”